Oregon DHS sending 645,000 notices of data breach
The Oregon Department of Human Services announced Tuesday it is sending notices by mail to approximately 645,000 clients, notifying them that their personal information was compromised during a previously announced January data breach.
It is not known if the compromised information, which includes personal health information, was viewed or used inappropriately, the agency said.
The department said it is providing 12 months of identity theft monitoring and recovery services, including a $1 million insurance reimbursement policy, to individuals whose information was accessible. This service is provided by ID Experts and is called MyIDCare.
Instructions on how to enroll in the MyIDCare service are included in each notification letter.
The department was targeted by an email “phishing” attempt. A phishing email was sent to department employees on Jan. 8, 2019. Nine employees opened the phishing email and clicked on an internet link that gave the sender access to their email accounts. Beginning Jan. 9, these nine employees started reporting problems.
All affected accounts were located and access to the nine affected accounts was stopped by Jan. 28. On that date, the department and the Enterprise Security Office Cyber Security team confirmed that the phishing incident was a data breach. The investigation confirmed that no other email accounts had been compromised and that no malware had been installed on department desktop computers or laptops.
Initial review of the incident indicated up to 2 million emails might be involved. After the breach was contained, the department began its electronic forensic investigation and analysis to identify exactly what data was compromised. Due to the exceedingly large amount of data and its complexity, the state determined that it would be appropriate to hire an outside firm, ID Experts, for data analysis.
Once it was confirmed that the compromised data included personal information, the department created an incident call center and website with information about the breach. The public was notified on March 21.
Most client information involved in the breach was in email attachments, like reports. The exposed client information includes first and last names, addresses, dates of birth, Social Security numbers, case numbers, personal health information, and other information used in DHS programs. The personal health information includes Protected Health Information (PHI), covered under the Health Insurance Portability and Accountability Act (HIPAA). Not all of these information types were exposed for each person.
ID Experts is providing MyIDCare, identity theft monitoring and recovery services, to affected individuals on behalf of the department.
Starting Wednesday, June 19, the department is sending individual notices and enrollment instructions to those who have been impacted, including notices to clients whose personal health information may have been involved.
Department clients who have questions about the breach or who need help enrolling in MyIDCare can call (800) 792-1750 toll-free or visit http://ide.myidcare.com/oregonDHS.
Keeping personal information secure for people the department serves is very important, the agency said. The department has closed access to the email web application involved in the phishing attack. The department maintains safeguards to protect its clients’ personal information, including keeping security updates and patching up to date, completing independent security assessments, and using special software. The department also regularly trains its staff about recognizing phishing attacks.
The department has also notified the top three national credit reporting agencies of the incident. These agencies are TransUnion, Experian and Equifax.
Anyone concerned about identity theft is encouraged to contact these reporting agencies for a copy of a current credit report at AnnualCreditReport.com or call (877) 322-8228 (Option 1) toll-free.
This can also be done in writing to:
Annual Credit Report Request Service
P.O. Box 105281
Atlanta, GA 30348-5281
Placing a credit freeze
All consumers have the option to freeze their credit reports for free. Parents may request a freeze of the credit report of a child under the age of 16. The guardian, conservator, or person holding a valid power of attorney for an individual may also request a credit report freeze for that person.
Below is each company’s freeze contact information:
Equifax, (800) 349-9960 (Automated, Option 1) or (888) 298-0045 (Live)
TransUnion, (888) 909-8872 (Option 3)
Experian, (888) 397-3742 (Option 1 followed by Option 2)
Anyone who suspects they are the victim of identity theft should report it to the Oregon Attorney General’s Consumer Protection Division and the Federal Trade Commission.
For information on how to report suspected identity theft and for information about protecting your identity, visit:
The Oregon Attorney General’s Consumer Protection Division at https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/.
Federal Trade Commission consumer information on Privacy, Identity & Online Security at https://www.consumer.ftc.gov/topics/privacy-identity-online-security.